Ducktail Hacker Group Evolves, Targets Facebook Business Accounts

Written by

A Vietnam-based hacking operation dubbed "Ducktail" is targeting individuals and companies operating on Facebook's Ads and Business platform.

Security researchers at WithSecure discovered the campaign earlier this year and described new developments in an advisory published earlier today.

"We don't see any signs of Ducktail slowing down soon, but rather see them evolve rapidly in the face of operational setbacks," commented WithSecure researcher Mohammad Kazem Hassan Nejad.

"Up to this point, the operational team behind Ducktail was seemingly small, but that has changed."

In fact, recent Ducktail activity observed since early September featured new avenues to spear-phish targets, including WhatsApp.

WithSecure has also noted changes to malware features with a more robust method to obtaining attacker-controlled email addresses, as well as making the malware look more legitimate by displaying dummy documents and video files upon launch.

Further, Ducktail has been conducting advanced and continuous defense evasion efforts by changing file format and compilation and countersigning certificates.

The group would have also invested in resource development and operational expansion by setting up other fake businesses in Vietnam and onboarding affiliates into the operation.

"Ransomware attacks get a lot of attention, but threats such as Ducktail can cause substantial financial and branding damage and shouldn't be overlooked," explained Paolo Palumbo, vice president of WithSecure.

"With the increased activity, new affiliates, and fake businesses, we expect an increase in Ducktail related incidents for the foreseeable future."

To defend against this and similar campaigns, WithSecure researchers have recommended companies ensure their employees have separate accounts for personal and business purposes.

"Using the same resources for both personal and business can be quite problematic," said WithSecure's global head of incident response John Rogers.

"For example, investigating a possible Ducktail incident may require logs about an individual's Facebook history, which can have many unanticipated operational, ethical, and legal implications. It's an issue that concerns organizations and their employees, so they both need to understand the risks in these situations."

Additional tips to protect against Ducktail attacks are available in the WithSecure advisory. Its publication comes weeks after a report by Lookout suggested mobile-based credential theft attacks against federal government employees increased by 47% from 2020 to 2021.

What’s hot on Infosecurity Magazine?